This flaw is due to an input validation error in the "resources/includes/popp.config.loader.inc.php"(line 25) that does not validate the "cfg['popphoto_base_path']" variable properly. Remote attackers can includemalicious scripts and execute arbitrary commands with the privileges of the web server